Globally Limiting
Intrusion Event Logging

Global Rule
Thresholding Basics

The global rule threshold sets limits for event logging by an intrusion policy.
You can set a global rule threshold across all traffic to limit how often the
policy logs events from a specific source or destination and displays those
events per specified time period. You can also set thresholds per shared object
rule, standard text rule, or preprocessor rule in the policy. When you set a
global threshold, that threshold applies for each rule in the policy that does
not have an overriding specific threshold. Thresholds can prevent you from
being overwhelmed with a large number of events.

Every intrusion policy
contains a default global rule threshold that applies by default to all
intrusion rules and preprocessor rules. This default threshold limits the
number of events on traffic going to a destination to one event per 60 seconds.

For example, you
might set a global limit threshold of five events every 60 seconds, but then
set a specific threshold of ten events for every 60 seconds for SID 1315. All
other rules generate no more than five events in each 60-second period, but the
system generates up to ten events for each 60-second period for SID 1315.

Tip

A global or individual threshold on a managed device with
multiple CPUs may result in a higher number of events than expected.

The following diagram demonstrates how the global rule
thresholding works. In this example, an attack is in progress for a specific
rule. The global limit threshold is set to limit event generation for each rule
to two events every 20 seconds. Note that the period starts at one second and
ends at 21 seconds. After the period ends, the cycle starts again and the next
two rule matches generate events, then the system does not generate any more
events during that period.

Global Rule
Thresholding Options

The default threshold limits event generation for each rule to one
event every 60 seconds on traffic going to the same destination. The default
values for the global rule thresholding options are:

Type — Limit

Track
By — Destination

Count — 1

Seconds — 60

You can modify these default values as follows:

Table 1. Thresholding Types

Option

Description

Limit

Logs and displays events for the specified number of packets
(specified by the count argument) that trigger the rule during the specified
time period.

For example, if you set the type to
Limit, the
Count to
10, and the
Seconds to
60, and 14 packets
trigger the rule, the system stops logging events for the rule after displaying
the first 10 that occur within the same minute.

Threshold

Logs and displays a single event when the specified number of
packets (specified by the count argument) trigger the rule during the specified
time period. Note that the counter for the time restarts after you hit the
threshold count of events and the system logs that event.

For example, you set the type to
Threshold,
Count to
10, and
Seconds to
60, and the rule
triggers 10 times by second 33. The system generates one event, then resets the
Seconds and Count counters to
0. The rule then
triggers another 10 times in the next 25 seconds. Because the counters reset to
0 at second 33, the
system logs another event.

Both

Logs and displays an event once per specified time period, after
the specified number (count) of packets trigger the rule.

For example, if you set the type to
Both,
Count to
2, and
Seconds to
10, the following
event counts result:

If the rule is triggered once in 10 seconds, the system does not
generate any events (the threshold is not met)

If the rule is triggered twice in 10 seconds, the system
generates one event (the threshold is met when the rule triggers the second
time)

If the rule is triggered four times in 10 seconds, the system
generates one event (the threshold is met when the rule triggered the second
time and following events are ignored)

The
Track By option determines whether the event
instance count is calculated per source or destination IP address.

You can also specify the number of instances and time period that
define the threshold, as follows:

Table 2. Thresholding Instance/Time Options

Option

Description

Count

For a
Limit threshold,
the number of event instances per specified time period per tracking IP address
or address range required to meet the threshold.

For a
Threshold
threshold, the number of rule matches you want to use as your threshold.

Seconds

For a
Limit threshold,
the number of seconds that make up the time period when attacks are tracked.

For a
Threshold
threshold, the number of seconds that elapse before the count resets. If you
set the threshold type to
Limit, the
tracking to
Source,
Count to 10, and
Seconds to 10,
the system logs and displays the first 10 events that occur in 10 seconds from
a given source port. If only seven events occur in the first 10 seconds, the
system logs and displays those, if 40 events occur in the first 10 seconds, the
system logs and displays 10, then begins counting again when the 10-second time
period elapses.

Configuring Global
Thresholds

Smart
License

Classic
License

Supported
Devices

Supported
Domains

Access

Threat

Protection

Any

Any

Admin/Intrusion Admin

In a multidomain deployment, the system displays policies
created in the current domain, which you can edit. It also displays policies
created in ancestor domains, which you cannot edit. To view and edit policies
created in a lower domain, switch to that domain.

Procedure

Step 1

Choose
Policies > Access
Control > Intrusion.

Step 2

Click the edit icon ()
next to the policy you want to edit.

If a view icon ()
appears instead, the configuration belongs to an ancestor domain, or you do not
have permission to modify the configuration.

Disabling the Global
Threshold

You can disable global thresholding in the highest policy layer
if you want to threshold events for specific rules rather than applying
thresholding to every rule by default.

In a multidomain deployment, the system displays policies
created in the current domain, which you can edit. It also displays policies
created in ancestor domains, which you cannot edit. To view and edit policies
created in a lower domain, switch to that domain.

Procedure

Step 1

Choose
Policies > Access
Control > Intrusion

Step 2

Click the edit icon ()
next to the policy you want to edit.

If a view icon ()
appears instead, the configuration belongs to an ancestor domain, or you do not
have permission to modify the configuration.